Re: SSL/CRL Problem - Error 12 (Expired)


 



Hi,

BTW, one other piece of possible information:  We found that if we put all the PEMs for the CRLs into one big file and then used the SSLCACertificateRevocationFile directive instead of the SSLCACertificateRevocationPath directive and the hashes in the directory, then we don't get the Error 12/Expired CRL errors.

Jim


--------------------------------------------
On Mon, 3/7/16, o haya <ohaya@xxxxxxxxx.INVALID> wrote:

 Subject:  SSL/CRL Problem - Error 12 (Expired)
 To: users@xxxxxxxxxxxxxxxx
 Cc: ohaya@xxxxxxxxx
 Date: Monday, March 7, 2016, 8:43 PM
 
 Hi,
 
 I'm not sure if I should post this to the openssl mailing
 list or here, but thought that it'd make sense to start
 here.  If that is not appropriate, please let me know?
 
 
 Anyway, we are upgrading some of our Apache instance to
 2.4.16 (on Redhat), and we are encountering a strange
 problem with SSL and CRLs.
 
 
 Our websites are configured for SSL client authentication
 with CRLs in a directory pointed to by
 SSLCACertificateRevocationPath and SSLCARevocationCheck set
 to "chain".  We then place our CRLs in the directory
 and create the hashes for them.
 
 However, when we tried to upgrade one of our production
 instances the requests are failing and, in the error logs,
 we are seeing the following messages:
 
 [ssl.debug] [pid 4866] ssl_engine_kernel.c: [client
 10.10.10.10-xxxx] Certificate Verification, depth 1, CRL
 checking mode: chain [subject: CN=CA4,OU=branch,.... /
 issuer: CN=Root 3,OU=branch,... / serial: 86 / notbefore:
 Aug 1 00:00:00 2013 GMT / notafter: Aug 1 00:00:00 2021 GMT]
 
 
 [ssl.info] [pid 4866] [client 10.10.10.10-xxxx] Certificate
 Verification: Error (12): CRL has expired [subject:
 CN=CA4,OU=branch,... / issuer: CN=Root 3,... / serial: 86 /
 notbefore: Aug 1 00:00:00 2013 GMT / notafter: Aug 1
 00:00:00 2021 GMT] 
 
 We checked all of the CRL files and they are all within
 their validity periods.
 
 
 The thing is that we have not been able to replicate this
 problem in our test environment, when we try to re-create a
 similar PKI hierarchy, so we (or I) suspect that there may
 be something going on with either the CRLs or cert files
 that we are getting from the CAs (but recall that these same
 CRLs worked with older Apache).  So I was wondering: are
 there any known situations where that "Error 12" would be
 logged, but where the problem was being caused by something
 other than the CRL files actually being expired?
 
 As I said, this might be more of an openssl question?
 
 Thanks in advance,
 Jim
 

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
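Added example, not code from either message in this thread: a small Python 3 audit that reads the DER of each entry in a CRL directory (file names such as `abcd1234.r0` below are constructed placeholders for the hashed names Apache's SSLCARevocationPath expects) and reports what OpenSSL's CRL time check would return at a given date, so an expired entry sitting beside a current one for the same issuer is visible. It assumes DER input with UTCTime or GeneralizedTime values ending in `Z`, and it does not establish why the directory and single-file configurations behave differently in Jim's case.

```python
import datetime as dt
UTC = dt.timezone.utc

def _tlv(data, pos=0):
    """Decode one DER TLV at pos; return (tag, value bytes, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                        # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def _enc(tag, payload):
    """Minimal DER encoder, used only to build the constructed sample CRLs below."""
    lb = len(payload).to_bytes((len(payload).bit_length() + 7) // 8 or 1, "big")
    head = bytes([len(payload)]) if len(payload) < 0x80 else bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + head + payload

def _time(tag, value):
    """UTCTime (0x17) or GeneralizedTime (0x18) -> timezone-aware UTC datetime."""
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return dt.datetime.strptime(value.decode("ascii"), fmt).replace(tzinfo=UTC)

def crl_validity(der):
    """Return (issuer Name DER, thisUpdate, nextUpdate or None) from a DER-encoded CRL."""
    _, tbs, _ = _tlv(_tlv(der)[1])           # CertificateList -> tbsCertList
    tag, _, pos = _tlv(tbs)                  # optional version INTEGER, else signature AlgId
    if tag == 0x02:
        _, _, pos = _tlv(tbs, pos)           # skip signature AlgorithmIdentifier
    _, issuer, pos = _tlv(tbs, pos)          # issuer Name
    tag, val, pos = _tlv(tbs, pos)           # thisUpdate
    this_u, next_u = _time(tag, val), None
    if pos < len(tbs) and tbs[pos] in (0x17, 0x18):   # nextUpdate is OPTIONAL
        next_u = _time(*_tlv(tbs, pos)[:2])
    return issuer, this_u, next_u

def crl_status(crls, now):
    """file name -> OpenSSL CRL time check at 'now' (YYYY-MM-DD UTC): 0 ok, 11 not yet valid, 12 expired."""
    now = dt.datetime.strptime(now, "%Y-%m-%d").replace(tzinfo=UTC)
    out = {}
    for name, der in crls.items():
        _, this_u, next_u = crl_validity(der)
        out[name] = 11 if this_u > now else 12 if next_u and next_u < now else 0
    return out

def sample_crl(issuer_cn, this_update, next_update):
    """Constructed, well-formed v2 DER CRL with a dummy signature (dates are YYYY-MM-DD)."""
    utc = lambda s: _enc(0x17, dt.datetime.strptime(s, "%Y-%m-%d").strftime("%y%m%d%H%M%SZ").encode())
    alg = _enc(0x30, _enc(0x06, bytes.fromhex("2a864886f70d01010b")) + b"\x05\x00")  # sha256WithRSA
    rdn = _enc(0x31, _enc(0x30, _enc(0x06, b"\x55\x04\x03") + _enc(0x0c, issuer_cn.encode())))  # CN=
    tbs = _enc(0x30, _enc(0x02, b"\x01") + alg + _enc(0x30, rdn) + utc(this_update) + utc(next_update))
    return _enc(0x30, tbs + alg + _enc(0x03, b"\x00" * 17))    # signature value is a placeholder
```

To run it over a real SSLCARevocationPath directory, read each `.rN` entry and base64-decode the text between the PEM BEGIN/END lines before passing it to crl_status. Result code 12 is X509_V_ERR_CRL_HAS_EXPIRED, the "Error (12): CRL has expired" line in the log above.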




